We are using ETag headers for conditional requests in our REST API. Some resources have different contents based on the current authenticated user (some users see more, others less information). The ETag is currently computed on the "full" resources, i.e. all users get the same ETag unless the overall resource changes. This isn't a problem unless a client caches the ETag of a resource across user sessions, which seems to happen in browsers. The second user will then see the cached version of the resource from the first user since the server tells the client/browser that it didn't change. This can even turn into a security issue if the first user is allowed to see more than the second user.

I was searching the Internet but didn't find any information regarding ETags and user sessions. Are there any best practices or recommendations on how to handle such cases?
It's more than a best practice—the standard requires you to send a unique ETag if the representation of a resource differs:
A "strong validator" [such as ETag] is representation metadata that changes value whenever a change occurs to the representation data that would be observable in the payload body of a 200 (OK) response to GET.... A strong validator is unique across all versions of all representations associated with a particular resource over time.
And the problems you noted with browser caching are actually much more serious, since intermediate caches can also store the data and then serve it inappropriately to people all over the world.
So the answer is simple—compute a unique ETag for every distinct representation of the data.
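As an added illustration of the answer above (example code, not from the question or answer author), the following Python sketch derives the ETag from the exact bytes of the representation that a given caller receives, so two users with different visibility never share a validator. The resource, the two roles and the field lists are constructed for the example; the `Vary` and `Cache-Control: private` headers are an assumption about how you would additionally keep shared caches from reusing one user's response for another.

```python
import hashlib
import json

# Constructed sample resource; which fields a caller may see depends on their role.
RESOURCE = {
    "id": 42,
    "title": "Quarterly report",
    "summary": "Public summary",
    "internal_notes": "Only managers may see this",
}

# Hypothetical visibility rules for the example.
FIELDS_BY_ROLE = {
    "manager": ("id", "title", "summary", "internal_notes"),
    "employee": ("id", "title", "summary"),
}


def render(resource, role):
    """Build the representation actually sent to this caller."""
    view = {k: resource[k] for k in FIELDS_BY_ROLE[role] if k in resource}
    # Canonical serialization: the same view must always produce the same bytes,
    # otherwise the ETag would change on key order or whitespace alone.
    return json.dumps(view, sort_keys=True, separators=(",", ":")).encode()


def strong_etag(body):
    """Strong validator computed over the response bytes, hence unique per representation."""
    return '"' + hashlib.sha256(body).hexdigest() + '"'


def handle_get(resource, role, if_none_match=None):
    """Return (status, headers, body) for a GET with an optional If-None-Match header."""
    body = render(resource, role)
    etag = strong_etag(body)
    headers = {
        "ETag": etag,
        # Assumed hardening: tell shared caches the response depends on the
        # credential headers and must not be reused across users.
        "Vary": "Authorization, Cookie",
        "Cache-Control": "private",
    }
    if if_none_match is not None:
        # If-None-Match may carry a comma-separated list of entity tags or "*".
        candidates = [tag.strip() for tag in if_none_match.split(",")]
        if "*" in candidates or etag in candidates:
            return 304, headers, b""
    return 200, headers, body


if __name__ == "__main__":
    status, hdrs, _ = handle_get(RESOURCE, "manager")
    manager_tag = hdrs["ETag"]
    # An employee presenting the manager's tag must get fresh (reduced) content, not a 304.
    status, _, body = handle_get(RESOURCE, "employee", if_none_match=manager_tag)
    print(status, body.decode())
```

Because the validator is a digest of the bytes served, an `If-None-Match` carrying another user's tag simply fails to match and the server responds with that user's own representation; only a client replaying the tag it was itself given receives a 304.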